...
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a bug (logic error). This is different than overflow, where there is simply a representational deficiency (see INT32-C. Ensure that operations on signed integers do not result in overflow).
...
Noncompliant Code Example (Left Shift, Signed Type)
The result of `E1 << E2` is `E1` left-shifted `E2` bit positions; vacated bits are filled with zeros. If `E1` has a signed type and nonnegative value and $E1 \times 2^{E2}$ is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.
...
In C99, the `CHAR_BIT` macro defines the number of bits for the smallest object that is not a bit-field (byte). Consequently, a byte contains `CHAR_BIT` bits.
...
Noncompliant Code Example (Left Shift, Unsigned Type)
The result of `E1 << E2` is `E1` left-shifted `E2` bit positions; vacated bits are filled with zeros. According to C99, if `E1` has an unsigned type, the value of the result is $E1 \times 2^{E2}$, reduced modulo one more than the maximum value representable in the result type. Although C99 specifies modulo behavior for unsigned integers, unsigned integer overflow frequently results in unexpected values and resultant security vulnerabilities (see INT32-C. Ensure that operations on signed integers do not result in overflow). Consequently, unsigned overflow is generally noncompliant and $E1 \times 2^{E2}$ must be representable in the result type. Modulo behavior is allowed if the conditions in the exception section are met.
...
```c
#include <limits.h>

void func(unsigned int ui1, unsigned int ui2,
          unsigned int mod1, unsigned int mod2) {
  unsigned int uresult;

  /* Reject a shift count >= the width, and any shift that would
     drop high-order bits of ui1 */
  if ((ui2 >= sizeof(unsigned int) * CHAR_BIT) ||
      (ui1 > (UINT_MAX >> ui2))) {
    /* handle error condition */
  } else {
    uresult = ui1 << ui2;
  }

  /* modulo behavior is allowed on mod1 and mod2 by exception */
  if (mod2 >= sizeof(unsigned int) * CHAR_BIT) {
    /* handle error condition */
  } else {
    /* modulo behavior is allowed by exception */
    uresult = mod1 << mod2;
  }
}
```
...
Noncompliant Code Example (Right Shift)
The result of `E1 >> E2` is `E1` right-shifted `E2` bit positions. If `E1` has an unsigned type or if `E1` has a signed type and a nonnegative value, the value of the result is the integral part of the quotient of $E1 / 2^{E2}$. If `E1` has a signed type and a negative value, the resulting value is implementation-defined and may be either an arithmetic (signed) shift, as depicted here,
...
or a logical (unsigned) shift.
This noncompliant code example fails to test whether the right operand is negative or is greater than or equal to the width of the promoted left operand, allowing undefined behavior.
...
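The signed-type conditions described above can be checked before shifting, as in the following added example, which is not code from the original page. The helper names `checked_shl_int` and `checked_shr_int` and the macro `INT_WIDTH_BITS` are hypothetical; the example assumes `int` has no padding bits and chooses to reject negative left operands on right shift because that result is implementation-defined.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example; helper names are hypothetical, not from the page.
 * Width computed as the page does; assumes int has no padding bits. */
#define INT_WIDTH_BITS ((int)(sizeof(int) * CHAR_BIT))

/* E1 << E2 for signed int: defined only when E1 and E2 are nonnegative,
 * E2 is below the width, and E1 * 2^E2 is representable in int. */
bool checked_shl_int(int e1, int e2, int *out) {
    if (e1 < 0 || e2 < 0 || e2 >= INT_WIDTH_BITS) {
        return false;            /* negative operand or oversized count */
    }
    if (e1 > (INT_MAX >> e2)) {
        return false;            /* high-order bits would be lost */
    }
    *out = e1 << e2;
    return true;
}

/* E1 >> E2 for signed int: count must be in [0, width). Negative E1 is
 * rejected here (an assumption of this example) because the result is
 * implementation-defined. */
bool checked_shr_int(int e1, int e2, int *out) {
    if (e1 < 0 || e2 < 0 || e2 >= INT_WIDTH_BITS) {
        return false;
    }
    *out = e1 >> e2;
    return true;
}

int main(void) {
    /* Constructed sample inputs: {E1, E2} pairs. */
    const int cases[][2] = { {1, 4}, {INT_MAX, 1}, {1, -1},
                             {1, INT_WIDTH_BITS}, {-1, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = 0;
        if (checked_shl_int(cases[i][0], cases[i][1], &r)) {
            printf("%d << %d = %d\n", cases[i][0], cases[i][1], r);
        } else {
            printf("%d << %d rejected\n", cases[i][0], cases[i][1]);
        }
    }
    return 0;
}
```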